User-centric security should be central to cloud IAM practice

Cyber attacks, phishing and ransomware incidents are mostly user-facilitated threats; their success is based on human interaction. Relying solely on the next generation of technology to solve this problem is wrong; we cannot address a human problem with technology alone.

Security needs to move to a more people-centric approach because ultimately it is individuals who need access, whose identities need to be managed and who need to be authenticated, and it is people who currently enable failures, even if inadvertently. We must recognize that this is fundamentally a human challenge, not just a technological one. By prioritizing human factors in our security strategy, we can build a more effective and resilient posture against cyber attacks, phishing and ransomware.

This challenge is not new; it may seem that way because we frame it as IT-centric. In reality, identity and access management (IAM) has been a fundamental practice for centuries, rooted in the principles of least privilege and the need to know. What we often overlook is the importance of understanding our underlying information assets and identifying who really needs access to them. By facilitating that access in a seamless way, we improve the user experience while maintaining security. If we restructured our information assets to be more logical, easier to use, and aligned with business functions, we could significantly improve our ability to manage access effectively.

Training and awareness continue to be neglected and underfunded, while technology receives a greater share of attention and budget. Numerous reports, surveys and presentations from security industry leaders consistently emphasize that effective training is crucial to improving our resilience to attacks. It’s time to prioritize investment in training and awareness, recognizing them as vital components of a robust security strategy.

Technologies play a supporting role in combating these attacks, but ultimately depend on individuals to make the right choices. To build an effective defense, we need to empower well-trained, security-aware personnel who are supported by the right technology. Instead of forcing IT to impose access restrictions arbitrarily, let’s engage our teams in identifying their access needs. By prioritizing collaboration and understanding, we can create a security framework that truly protects both our people and our organization.

Additionally, we must recognize that overly restrictive security practices can lead individuals to engage in risky behaviors, especially when they struggle to perform their tasks effectively. Just as laws differ in their approach, security policies should not mirror a Napoleonic framework, where users are limited to only what they are explicitly allowed to do. Instead, we should adopt a model that empowers users to fulfill their roles while maintaining security. It is essential for security teams to work with employees to identify solutions that enable safe and effective workplace performance, fostering a culture of trust and accountability.

Letting go of rigid rules is essential to progress, but it’s understandable that security professionals might feel hesitant because clear rules can be a comfort to some. User-centric security should be the future of true resilience.